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programmable priority indications including multiple access control list entries, with a subset 

! with one or more of the entries, or with of these access control list entries identifying accounting 

the associative memory devices, associative memory banks, requests. Accounting mechanisms, such as, but not limited 

etc. The force no-hit indications are often used in response to counters or data structures, are associated with each of 

to identified deny instructions in an access control list or 5 said access control list entries in the subset of access control 

other policy map. A lookup operation is then performed on list entries identifying accounting requests. An item is iden- 

these associative memory entries, with highest matching tified. A particular one of the accounting mechanisms cor- 

result or results identified based on the programmed and/or responding to the item is identified and updated. In one 

implicit priority level associated with the entries, or with the embodiment, the item corresponds to one or more fields of 

associative memory devices, associative memory banks, etc. 10 a received packet. In one embodiment, the item includes at 

Methods and apparatus are disclosed for performing least one autonomous system number, said at least one 

lookup operations using associative memories, including, autonomous system number identify a set of communication 

but not limited to modifying search keys within an associa- devices under a single administrative authority. In one 

tive memory based on modification mappings, forcing a embodiment, at least one of the accounting mechanisms is 

no-hit condition in response to a highest-priority matching 15 associated with at least two different access control list 

entry including a force no-hit indication, selecting among entries in the subset of access control list entries identifying 
various associative memory blocks or sets or banks of accounting requests. 

associative memory entries in determining a lookup result, One embodiment merges lookup results, such as from one 
and detecting and propagating error conditions. In one or more associative memory banks and/or memory devices, 
embodiment, each block retrieves a modification mapping 20 One embodiment identifies an access control list including 
from a local memory and modifies a received search key multiple access control list entries. A first set of access 
based on the mapping and received modification data. In one control list entries corresponding to a first feature of the 
embodiment, each of the associative memory entries access control list entries and a second set of access control 
includes a field for indicating that a successful match on the list entries corresponding to a second feature of the access 
entry should or should not force a no-hit result. In one 25 control list entries are identified. A first associative memory 
embodiment, an indication of which associative memory bank is programmed with the first associative memory 
sets or banks or entries to use in a particular lookup entries and a second associative memory bank is pro- 
operation is retrieved from a memory. grammed with the second associative memory entries, with 

One embodiment performs error detection and handling the first associative memory entries having a higher lookup 

by identifying, handling and communication errors, which 30 precedence than the second associative memory entries. A 

may include, but is not limited to array parity errors in lookup value is then identified, such as that based on a 

associative memory entries and communications errors such packet or other item. Lookup operations are then typically 

as protocol errors and interface errors on input ports. Array performed substantially simultaneously on the first and 

parity errors can occur as a result of failure- in -time errors second sets of associative memory entries to generate mul- 

which are typical of semiconductor devices. One embodi- 35 tiple lookup results, with these results typically being iden- 

ment includes a mechanism to scan associative memory tified directly, or via a lookup operation in an adjunct 

entries in background, and to identify any detected errors memory or other storage mechanism. These lookup results 

back to a control processor for re-writing or updating the ar e fhm ™mhinH to generate a merged lookup result. ^ <*ml ~rK\<ns\ 

flawed entry. In one embodiment, certain identified errors or [FIGS. lA^E;^ re block diagrams of various exemplary J** 1 * 

received error conditions are of a fatal nature in which no 40 systems and configurations thereof, with these exemplary 

processing should be performed. For example, in one systems including one or more embodiments for performing 

embodiment, a fatal error causes an abort condition. In lookup operations using associative memories. First, FIG. 1 

response, the device stops an in-progress lookup operation illustrates one embodiment of a system, which may be part 

and just forwards error and possibly no-hit signals. Typi- of a router or other communications or computer system, for 

cally, these signals are generated at the time the in-progress 45 performing lookup operations to produce results which can 

lookup operation would have generated its result had it not be used in the processing of packets. In one embodiment, 

been aborted so as to maintain timing among devices in a control logic 110, via signals 111, programs and updates 

system including the associative memory. associative memory or memories 115, such as, but not 

In one embodiment, including cascaded or connected limited to one or more associative memory devices, banks, 

associative memory devices, error status messages indicat- 50 and/or sets of associative memory entries which may or may 

ing any error type and its corresponding source are propa- not be part of the same associative memory device and/or 

gated to indicate the error status to the next device and/or a bank. In one embodiment, control logic 110 also programs 

control processor. In addition, the communicated signal may memory 120 via signals 123. In one embodiment, control 

indicate and generate an abort condition in the receiving logic 110 includes custom circuitry, such as, but not limited 

device. In one embodiment, the receiving device does not 55 to discrete circuitry, ASICs, memory devices, processors, 

perform its next operation or the received instruction, or it etc. 

may abort its current operation or instruction. Moreover, the In one embodiment, packets 101 are received by packet 
receiving device may or may not delay a time amount processor 105. In addition to other operations (e.g., packet 
corresponding to that which its processing would have routing, security, etc.), packet processor 105 typically gen- 
required in performing or completing the operation or 60 erates one or more items, including, but not limited to one 
instruction so as to possibly maintain the timing of a or more packet flow identifiers based on one or more fields 
transactional sequence of operations. of one or more of the received packets 101 and possibly 
One embodiment generates accounting or other data from information stored in data structures or acquired from 
based on that indicated in an access control list or other other sources. Packet processor 105 typically generates a 
specification, and typically using associative memory entries 65 lookup value 103 which is provided to control logic 110 for 
in one or more associative memory banks and/or memory providing control and data information (e.g., lookup words, 
devices. One embodiment identifies an access control list modification data, profile IDs, etc.) to associative memory or 
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FIG. 5A illustrates of an output selector 500 (which may 
or may not correspond to an output selector 231-232 of FIG. 
2) used in one embodiment. As shown, output selector 500 
includes control logic 510 and memory 511. In one embodi- 
ment, programming signals 504 are received, and in 5 
response, one or more data structures in memory 511 are 
updated. 

FIG. 5B illustrates one data structure used in one embodi- 
ment. Available array 520 is programmed with an associa- 
tive memory blocks and optionally preyirms stage results io 
available for use indicator 525 for eac hfpronle I) 52lJo be 
used. Each indicator 525 identifies which, it any, associative 
memory blocks, sets of entries or associative memory banks 
are to be considered in determining which matching asso- 
ciative entry to select for the ultimate highest-priority 15 
matching associative memory entry. In one embodiment, 
indicator 525 further identifies which previous stage results 
to consider. In one embodiment, a priority level is associated 
with each of the banks and/or previous stage results. Thus, 
based on a profile ID 521 received over via selector control 20 
signal 501 (FIG. 5 A), available array 520 can be retrieved 
from memory 511 (FIG. 5A). In one embodiment, there is an 
implied priority ordering of associative memory blocks and 
any previous stage results, while in one embodiment this 
priority ordering for determining the ultimate highest-prior- 25 
ity matching entry is programmable and/or variable per 
lookup operation. In one embodiment, associative memory 
blocks available for use indicator 525 is a bitmap data 
structure, while in one embodiment, associative memory 
blocks available for use indicator 525 is a list, set, array, or 30 
any other data structure. 

Returning to FIG. 5A, in the performance of a lookup 
operation, output selector 500 receives selector control sig- 
nal 501, which may include a profile ID. In addition, output 
selector 500 receives any relevant previous stage results 502 35 
and results 503 from zero or more of the associative memory 
blocks from which the highest-priority entry will be 
selected, and which, if any, will be identified in generated 
result 515. 

Moreover, in one embodiment, selector control signal 501 40 
including an enable indication, the enable indication includ- 
ing an enabled or not enabled value, such that in when a not 
enable value is received, output selector 500 is not enabled 
and does not select among results from blocks 1-N 503 or 
optional previous stage results 502. In one embodiment, 45 
when not enabled, output selector 500 generates a result 
signal 515 indicting a no hit, not enabled, or some other 
predetermined or floating value. 

Additionally, in one embodiment, result 515 is commu- 
nicated over a fixed output bus, which may or may not be 50 
multiplexed with other results 515 generated by other output 
selectors 500. In one embodiment, the associative memory 
may include one or more output buses, each typically 
connected to a single pin of a chip of the associative 
memory, with the selection of a particular output bus pos- 55 
sibly being hardwired or configurable, with the configura- 
tion possibly being on a per lookup basis, such as that 
determined from a received value or configuration informa- 
tion retrieved from a memory (e.g., based on the current 
profile ID.) In such a configuration, control logic 510 (or 60 
other mechanism) typically selects which output bus (and 
the timing of sending result 515) to use for a particular or all 
results 515. 

A process used in one embodiment for receiving and 
selecting a highest-priority associative memory entry, if any, 65 
is illustrated in FIG. 5C. Processing begins with process 
block 540, and proceeds to process block 542, wherein the 
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results from the associative memory blocks and the profile 
ID are received. In process block 544, the set of associative 
memory blocks to consider in determining the result is 
retrieved from a data structure/memory based on the profile 
ID. In process block 546, any relevant previous stage results 
are received from coupled associative memories. Next, in 
process block 548, the highest priority match from the 
available associative memory block and previous stage 
results is identified, if any, based on the implied and/or 
programmed priority values associated with the matching 
entries and/or associative memories, blocks, etc. Then, in 
process block 550, the result is communicated over a fixed 
or identified output bus/pin or to some other destination, 
with the result typically including a no hit indication or a hit 
indication and an identification of the ultimate highest- 
priority matching associative memory entry. Processing is 
complete as indicated by process block 552. 

FIG. 6A illustrates an exemplary policy map 600, includ- 
ing deny and permit instructions. Note, there are many 
applications of embodiments, and not all use permit and 
deny instructions. FIG. 6B illustrates associative memory 
entries 621 and 622 as determined by one embodiment based 
on policy map 600. Associative memory entries 621 and 622 
could be programmed in a same or different associative 
memories or associative memory blocks. Associative 
memory entries 621 and 622 are shown in separate group- 
ings to illustrate how priority can be optionally used and 
programmed in one embodiment. As shown, the deny state- 
ments in policy map 600 generate force no-hit indications 
(e.g., FORCE NO-HIT=l) in corresponding entries of 
entries 621 and 622. 

By using the optional priority indications, entries 621 and 
622 can be stored in different associative memories and/or 
associative memory banks, etc., to possibly consider in 
determining where to store the entries in order to efficiently 
use the space available for the entries. By associating a 
priority level with each entry, entries within a same asso- 
ciative memory and/or associate memory block, etc. can 
have different priority levels, which gives great flexibility in 
programming and managing the entries and space available 
for storing the entries. 

FIG. 6C illustrates a data structure 650 for indicating 
priority of associative memories, blocks, or entries, etc. used 
in one embodiment. As shown, priority mapping data struc- 
ture 650 provides a priority indication 652 (e.g., value) for 
each of the associative memories, associative memory 
blocks, associative memory entries, etc. (identified by indi- 
ces 651). Associative memories and/or blocks, etc. associ- 
ated with programmed priority values can be used with or 
without programmed priority values associated with the 
associative memory entries themselves. 

FIG. 7A illustrates a process for programming associative 
memory entries used in one embodiment. Processing begins 
with process block 700, and proceeds to process block 702, 
wherein a policy map (e.g., any definition of desired actions, 
etc.) is identified. Next, in process block 704, a set of 
corresponding entries is identified based on the policy map. 
In process block 706, a force no -hit indication is associated 
with one or more of the entries (if so correspondingly 
defined by the policy map). A force no-hit indication is of 
particular use in implementing deny operations, but is not 
required to be identified with a deny operation. Next, in 
process block 708, optionally, priority indications are asso- 
ciated with each of the entries, associative memories, asso- 
ciative memory banks, etc. In process block 710, one or 
more associative memories and/or banks are programmed 
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list entries. In process block 944, a second set of the access destination ASNs. In process block 983, a security lookup 

control list entries corresponding to a second feature of the value is identified. In process block 984, lookup operations 

access control list entries is identified. In process block 945, are performed based on the security lookup value in multiple 

a second associative memory bank and a second adjunct associative memory banks and one or more adjunct memo- 

memory are programmed with entries corresponding to the 5 ries to identify multiple security results, which are merged in 
second set of access control list entries. The first set of process block 985 to identify the merged security result, 

associative memory entries have a higher lookup precedence Also, this merged security result is stored in a data structure 

than the second set of associative memory entries. Process- or other mechanism for use in identifying the merged QoS 

ing is complete as indicated by process block 946. and accounting results. 

FIG. 9F illustrates a process used by one embodiment to 10 In process block 986, the QoS lookup value is identified, 

perform lookup operations and to identify the merged result. In process block 987, lookup operations are performed 

Processing begins with process block 950, and proceeds to based on the QoS lookup value in multiple associative 

process block 951, wherein a lookup value is identified. memory banks and one or more adjunct memories to iden- 

Next, in process block 952, lookup operations are performed tify multiple QoS results, which, in process block 988, are 

in the first and second associative memory banks and 15 merged along with the previously determined merged secu- 

adjunct memories to generate first and second lookup rity result to identify the merged QoS result, 

results, which are merged in process block 953 to identify In process block 989, the accounting lookup value is 

the merged result. Processing is complete as indicated by identified. In process block 990, lookup operations are 

process block 954. performed based on the accounting lookup value in multiple 

FIG. 9G illustrates a lookup value 960, result value 965, 20 associative memory banks and one or more adjunct memo- 

and merged result value 967 used in one embodiment. As ries to identify multiple accounting results, which, in process 

shown, lookup value 960 includes a lookup type 960A, block 991, are merged along with the previously determined 

source address 960B, destination address 960C, source port merged security result to identify the merged accounting 

960D, destination port 960E, protocol type 960F, source result. Also, an identified counter or other accounting 

~l ^£EO60G, destination ASN 960H, and possibly other fields 25 mechanism is updated. Processing is complete as indicated 

lkjU-L ^9001/One embodiment uses all, less than all, or none of by process block 992. 

nelas 960A-960I. In view of the many possible embodiments to which the 

As shown, result value 965 includes a result type 965A, principles of our invention may be applied, it will be 

an action or counter indication 965B, and a precedence appreciated that the embodiments and aspects thereof 

indication 965C. In one embodiment, result value 965 is 30 described herein with respect to the drawings/figures are 

programmed in the adjunct memories. One embodiment only illustrative and should not be taken as limiting the 

uses all, less than all, or none of fields 965A-965C. scope of the invention. For example and as would be 

As shown, merged result value 967 includes a result type apparent to one skilled in the art, many of the process block 

967A and an action or counter indication 967B. One operations can be re-ordered to be performed before, after, 

embodiment uses all, less than all, or none of fields 35 or substantially concurrent with other operations. Also, 

967A-967B. many different forms of data structures could be used in 

FIGS. 9H-9J illustrate merging logic truth tables 970, various embodiments. The invention as described herein 

972, and 974 for generating the merged result. In one contemplates all such embodiments as may come within the 

embodiment, the merge result of a security lookup operation scope of the following claims and equivalents thereof, 

is illustrated in security combiner logic 970, and is based on 40 j s claimed is* 

the results of up to four substantially simultaneous (or not) j A Zlrifor performing operations for programming 

lookup operat.ons w.th differing precedence indicated in one or more assoc 4ve memories, the method comprising: 

columns 970A-970D, with the corresponding merged result . , o _ , J" 

shown in column 970E. Note, the "--"in the ffields indicate identifying a specified policy map, 

a don't care condition as a merged result corresponding to a 45 determining a set ° f entnes based on ** s P ecified P 01 "* 

« . , • • i, i i r map; and 

higher priority will be selected. f . _ ...... 

In one embodiment, the merge result of a Quality of associating a force no-hit indication with one or more 

Service (QoS) lookup operation is illustrated in security entries ot the set ot entries, 

combiner logic 972, and is based on the results of a wherem me force no-liit rndication, when associated with 

previously merged security lookup operation and up to four 50 a determined highest-matching entry of a group of 

substantially simultaneous (or not) lookup operations with entr > es Pupating m a lookup operation, causes the 

differing precedence indicated in columns 972A-970E, with result of *• loo j ku P operation for the group of entries 

the corresponding merged result shown in column 972F. t0 be considered as not resultmg in a hit. 

In one embodiment, the merge result of an accounting 2 - method of clalm *> comprising programming one 

lookup operation is illustrated in accounting combiner logic 55 or more associative memories with the set of entries. 

972, and is based on the results of a previously merged 3 The method of claim 1, compnsmg programming a 

security lookup operation and up to four substantially simul- plurality of banks of an associative memory with the set of 

taneous (or not) lookup operations with differing precedence entries. 

indicated in columns 974A-974E, with the corresponding 4 . The metl ? od of claim 3 > comprising associating a 

merged result shown possibly identifying a counter to be 60 priority indication with each entry of the set of entries, 

updated in column 972F. 5. The method of claim 4, comprising: 

FIG. 9K illustrates a process used in one embodiment, to programming a plurality of banks of an associative 

generate a security merged result, a QoS merged result, and memory with the set of entries; and 

an accounting merged result. Processing begins with process associating a programmable priority level with each of the 

block 980, and proceeds to process block 981, wherein a 65 plurality of banks. 

packet is identified. Next, in process block 982, one or more 6. The method of claim 1, wherein at least one of said one 

FIB lookup operations are performed to identify source and or more entries corresponds to a deny operation. 
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associative memory entries to generate multiple lookup results, with these results 
typically being identified directly, or via a lookup operation in an adjunct memory or 
other storage mechanism. These lookup results are then combined to generate a merged 
. lookup result. 

1 5 C«^i^p re Wock diagrams of various exemplary systems and configurations 

thereof, with these exemplary systems including one or more embodiments for 
performing lookup operations using associative memories. First, FIG. 1 illustrates one 
embodiment of a system, which may be part of a router or other communications or 
computer system, for performing lookup operations to produce results which can be used 
in the processing of packets. In one embodiment, control logic 1 10, via signals 111, 
programs and updates associative memory or memories 115, such as, but not limited to 
one or more associative memory devices, banks, and/or sets of associative memory 
entries which may or may not be part of the same associative memory device and/or bank. 
In one embodiment, control logic 1 10 also programs memory 120 via signals 123. In one 
embodiment, control logic 1 10 includes custom circuitry, such as, but not limited to 
discrete circuitry, ASICs, memory devices, processors, etc. 

In one embodiment, packets 101 are received by packet processor 105. In addition 
to other operations (e.g., packet routing, security, etc.), packet processor 105 typically 
generates one or more items, including, but not limited to one or more packet flow 
20 identifiers based on one or more fields of one or more of the received packets 101 and 

possibly from information stored in data structures or acquired from other sources. Packet 
processor 105 typically generates a lookup value 103 which is provided to control logic 
1 10 for providing control and data information (e.g., lookup words, modification data, 
profile IDs, etc.) to associative memory or memories 115, which perform lookup 
operations and generate one or more results 1 1 7. In one embodiment, a result 1 17 is used 
is by memory 120 to produce a result 125. Control logic 1 10 then relays result 107, based 
on result 1 1 7 and/or result 125, to packet processor 1 05. In response, one or more of the 
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indication 420 (FIG. 4C) is used. Processing is complete as indicated by process block 
499. 

FIG. 5 A illustrates of an output selector 500 (which may or may not correspond to 
an output selector 231-232 of FIG. 2) used in one embodiment. As shown, output selector 
500 includes control logic 510 and memory 51 1. In one embodiment, programming 
signals 504 are received, and in response, one or more data structures in memory 51 1 are 
updated. 

FIG. 5B illustrates one data structure used in one embodiment. Available array 
520 is programmed with an associative memory blocks and optionally previous stage 
results available for use indicator 525 for each fprofile ID 52l) to be used. Each indicator Cd H lltou l| 
525 identifies which, if any, associative memory blocks, sets of entries or associative ' 
memory banks are to be considered in determining which matching associative entry to 
select for the ultimate highest-priority matching associative memory entry. In one 
embodiment, indicator 525 further identifies which previous stage results to consider. In 
1 5 one embodiment, a priority level is associated with each of the banks and/or previous 
stage results. Thus, based on a profile ID 521 received over via selector control signal 501 
(FIG. 5 A), available array 520 can be retrieved from memory 5 1 1 (FIG. 5 A). In one 
embodiment, there is an implied priority ordering of associative memory blocks and any 
previous stage results, while in one embodiment this priority ordering for determining the 
20 ultimate highest-priority matching entry is programmable and/or variable per lookup 

operation. In one embodiment, associative memory blocks available for use indicator 525 
is a bitmap data structure, while in one embodiment, associative memory blocks available 
for use indicator 525 is a list, set, array, or any other data structure. 

Returning to FIG. 5 A, in the performance of a lookup operation, output selector 
25 500 receives selector control signal 501, which may include a profile ED. In addition, 
output selector 500 receives any relevant previous stage results 502 and results 503 from 
zero or more of the associative memory blocks from which the highest-priority entry will 
be selected, and which, if any, will be identified in generated result 515. 

28 
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FIG. 9F illustrates a process used by one embodiment to perform lookup 
operations and to identify the merged result. Processing begins with process block 950, 
and proceeds to process block 951, wherein a lookup value is identified. Next, in process 
block 952, lookup operations are performed in the first and second associative memory 
5 banks and adjunct memories to generate first and second lookup results, which are 
merged in process block 953 to identify the merged result. Processing is complete as 
indicated by process block 954. 

FIG. 9G illustrates a lookup value 960, result value 965, and merged result value 
967 used in one embodiment. As shown, lookup value 960 includes a lookup type 960A, 
10 source address 960B, destination address 960C, source port 960D, destination port 960E, 
pjgiocol type 960F, source ASN 960G, destination ASN 960H, and possibly other fields 
2^ P^pbne embodiment uses all, less than all, or none of fields 960A-960I. 

As shown, result value 965 includes a result type 965 A, an action or counter 
indication 965B, and a precedence indication 965C. In one embodiment, result value 965 
15 is programmed in the adjunct memories. One embodiment uses all, less than all, or none 
of fields 965A-965C. 

As shown, merged result value 967 includes a result type 967A and an action or 
counter indication 967B. One embodiment uses all, less than all, or none of fields 
967A-967B. 

20 FIGs. 9H-9J illustrate merging logic truth tables 970, 972, and 974 for generating 

the merged result. In one embodiment, the merge result of a security lookup operation is 
illustrated in security combiner logic 970, and is based on the results of up to four 
substantially simultaneous (or not) lookup operations with differing precedence indicated 
in columns 970A-970D, with the corresponding merged result shown in column 970E. 

25 Note, the in the fields indicate a don't care condition as a merged result 
corresponding to a higher priority will be selected. 

In one embodiment, the merge result of a Quality of Service (QoS) lookup 
operation is illustrated in security combiner logic 972, and is based on the results of a 
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